My point, especially if you read this post fully, and the following, is
that not displaying the banner is minimally useful, and that other
measures to achieve the same goal (protect users when they make mistakes) are
far more useful/meaningful than eliminating the banner.
Regards,
Daniel
On 2015-09-13 11:34 AM, MauritsVB wrote:
I see where you’re coming from but I disagree that one should always rely on
the user to know exactly what to do and what not to do. A bit of basic
prevention doesn’t hurt.
Wouldn’t you agree that if you follow that line you might as well argue that
OpenWRT should not come with default-deny rules in the firewall? After all,
anyone who is savvy enough to install OpenWRT should then also know that by
default it has no firewall rules.
There is a reason that not displaying too much information in banners is good
security practice. It slows down the reconnaissance phase of an attack (using
“banner grabbing” tools) and can persuade many attackers to even skip a
specific target. Even for complex server software and hardware that requires
far more expert operators than OpenWRT it is still best practice not to give
too much away about the specific version. It’s why companies such as Cisco and
Juniper advise not to disclose version information in banners.
Of course, by not displaying by default but making it a configurable option any
admin who requires it for support purposes could still enable it.
As for your idea about warning users that their LuCI is reachable via WAN, I
agree, that definitely makes sense. However, I see that as a separate issue
from displaying security sensitive information on the login page.
Maurits
On 13 Sep 2015, at 15:28, Daniel Dickinson <open...@daniel.thecshore.com> wrote:
Quite frankly if someone has unintentionally exposed LuCI to the internet I think
they've got a lot bigger problem than exposed version information, and that not
putting the version information at best delays only very slightly a would-be
attacker.
And for properly configured installs, the version information is extremely
useful for doing support and such like.
Not that it likely means much, my vote is against such a weak band-aid to what is
fundamentally an issue a user creates for themselves that is much larger than
the details of what's on the screen.
What would be a more relevant solution is for LuCI to have a banner that
indicates that LuCI is visible on the WAN, thus alerting the user to a
misconfiguration, if it is that.
Regards,
Daniel
On 2015-09-13 10:21 AM, MauritsVB wrote:
At the moment the OpenWRT www login screen provides *very* detailed version
information before anyone has even entered a password. It displays not just
“15.05” or “Chaos Calmer” but even the exact git version on the banner.
While it’s not advised to open this login screen to the world, fact is that it
does happen intentionally or accidentally. Just a Google search for “Powered by
LuCI Master (git-“ will provide many accessible OpenWRT login screens,
including exact version information.
As soon as someone discovers a vulnerability in an OpenWRT version all an
attacker needs to do is perform a Google search to find many installations with
versions that are vulnerable (even if a patch is already available).
In the interest of hardening the default OpenWRT install, can I suggest that by
default OpenWRT doesn’t disclose the version (not even 15.05 or “Chaos Calmer”)
on the login screen? For extra safety I would even suggest to leave “OpenWRT”
off the login screen, the only people who should use this screen already know
it’s running OpenWRT.
Any thoughts?
Maurits
_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel